Date:      Wed, 23 May 2001 10:59:07 +0600
From:      "Sergey N. Voronkov" <serg@tmn.ru>
To:        Alex <alex@nixfreak.org>
Cc:        Kris Kennaway <kris@obsecurity.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Is there a ftp vuln in 4.3-STABLE
Message-ID:  <20010523105907.A15346@sv.tech.sibitex.tmn.ru>
In-Reply-To: <Pine.BSF.4.32.0105230033440.1300-100000@magnetar.blackhatnetworks.com>; from alex@nixfreak.org on Wed, May 23, 2001 at 12:35:15AM -0400
References:  <20010523100448.A15088@sv.tech.sibitex.tmn.ru> <Pine.BSF.4.32.0105230033440.1300-100000@magnetar.blackhatnetworks.com>

On Wed, May 23, 2001 at 12:35:15AM -0400, Alex wrote:
> > When I've found this stuff in my logfiles I've changed native ftpd to luke's
> > one. Sorry, can't get core to you... And don't want to setup native daemon
> > to provide potential hole to someone.
> >
> > May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11
> > May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11
> 
> 	Who owns UID 14 on that machine?  Not root I presume.  So the
> process itself that segmentation faulted wasn't actually executed by root.
> Is UID 14 an FTP account for running the daemon?
> 

UID 14 is for FS access only. ftpd is running with root privileges, because
it can't make new connection from privileged port (ftp-data, for example)
when it isn't root-privileged. So, any potential hole or buffer overflow in
ftpd is permission to someone to get root shell onto your ftpserver.
chroot'ed shell, but root's in any case.

About UID 14: It'll be very very nice if someone can tell me about dumping
core from seteuid'ed ftpd to ANY specified directory?

Bye,

Serg.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
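
A way to triage kernel log entries like the two quoted above, given as an added example that is not part of the original message: it flags memory-fault crashes and rates a daemon that starts as root as high severity even when the logged uid is non-zero. `ROOT_STARTED`, the function names and the last three sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Kernel log line format taken from the two entries quoted in the message.
# The kernel appends " (core dumped)" when a core file was actually written.
CRASH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$")

# Assumption: daemons on this host that start as root and only switch their
# effective UID, so the uid in the log line says nothing about their privilege.
ROOT_STARTED = {"ftpd"}
# FreeBSD signal numbers that usually mean a memory fault.
MEMORY_FAULT_SIGNALS = {4: "SIGILL", 10: "SIGBUS", 11: "SIGSEGV"}

# First two lines are from the message; the remaining three are constructed.
SAMPLE_LOG = [
    "May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11",
    "May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11",
    "May 18 09:14:02 ftp /kernel: pid 2001 (worker), uid 1001: exited on signal 11 (core dumped)",
    "May 18 09:20:41 ftp /kernel: pid 2044 (ftpd), uid 14: exited on signal 6",
    "May 18 09:21:00 ftp newsyslog[311]: logfile turned over",
]

def parse_crashes(lines):
    """Return one finding per memory-fault crash; severity ignores logged uid."""
    findings = []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if not m or int(m["sig"]) not in MEMORY_FAULT_SIGNALS:
            continue
        findings.append({
            "time": m["ts"], "host": m["host"], "prog": m["prog"],
            "pid": int(m["pid"]), "logged_uid": int(m["uid"]),
            "signal": MEMORY_FAULT_SIGNALS[int(m["sig"])],
            "core_dumped": m["core"] is not None,
            "severity": "high" if m["prog"] in ROOT_STARTED else "medium",
        })
    return findings

def repeated_crashers(findings, threshold=2):
    """Root-started daemons that crashed at least `threshold` times per host."""
    counts = Counter((f["host"], f["prog"]) for f in findings
                     if f["severity"] == "high")
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = parse_crashes(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["prog"], f["signal"], "uid", f["logged_uid"], f["severity"])
    print(repeated_crashers(found))
```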




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010523105907.A15346>